Tree [25c176] / contrib / asdf-install /
History



File Date Author Commit
.cvsignore 2003-08-16 Christophe Rhodes Christophe Rhodes [b7cfa0] 0.8.2.34:
Makefile 2004-04-14 Daniel Barlow Daniel Barlow [e791de] 0.8.9.42
README 2003-11-10 Daniel Barlow Daniel Barlow [1e9a53] 0.8.5.30
asdf-install.asd 2013-02-23 Francois-Rene Rideau Francois-Rene Rideau [25c176] Deliver each contrib as a single FASL. Don't im...
defpackage.lisp 2006-01-12 Andreas Fuchs Andreas Fuchs [d8ff33] 0.9.7.37:
installer.lisp 2010-08-24 Christophe Rhodes Christophe Rhodes [f14970] 1.0.41.56: Fix for asdf-install (launchpad bug ...

Read Me

Downloads and installs an ASDF system or anything else that looks
convincingly like one, including updating the ASDF:*CENTRAL-REGISTRY*
symlinks for all the toplevel .asd files it contains.  Please read
this file before use: in particular: this is an automatic tool that
downloads and compiles stuff it finds on the 'net.  Please look at the
SECURITY section and be sure you understand the implications


= USAGE

This can be used either from within an SBCL instance:

* (require 'asdf-install)
* (asdf-install:install 'xlunit) ; for example

or standalone from the shell:

$ sbcl-asdf-install xlunit

Each argument may be -

 - The name of a cliki page.  asdf-install visits that page and finds
   the download location from the `:(package)' tag - usually rendered
   as "Download ASDF package from ..."

 - A URL, which is downloaded directly

 - A local tar.gz file, which is installed


= SECURITY CONCERNS: READ THIS CAREFULLY

When you invoke asdf-install, you are asking SBCL to download,
compile, and install software from some random site on the web.  Given
that it's indirected through a page on CLiki, any malicious third party
doesn't even need to hack the distribution server to replace the
package with something else: he can just edit the link.  

For this reason, we strongly recommend that package providers use PGP
or GPG to crypto-sign their packages (see details at the URL in the
PACKAGE CREATION section) and that users check the signatures.
asdf-install makes three checks

 1) that the signature exists

 2) that there is a GPG trust relationship between the package signer
    and the installer (i.e. that the package comes from someone whose
    key you've signed, or someone else you have GPG trust with has signed)

 3) that the signature is one of the ones listed in
    $HOME/.sbcl/trusted-uids.lisp as a valid supplier of Lisp code.


= CUSTOMIZATION

If the file $HOME/.asdf-install exists, it is loaded.  This can be
used to override the default values of exported special variables.
Presently these are 

*PROXY*         
   defaults to $http_proxy environment variable
*CCLAN-MIRROR*        
   preferred/nearest CCLAN node.  See the list at 
   http://ww.telent.net/cclan-choose-mirror
*SBCL-HOME*
   Set from $SBCL_HOME environment variable.  This should already be 
   correct for whatever SBCL is running, if it's been installed correctly
*LOCATIONS*
   Possible places in the filesystem to install packages into.  See default
   value for format


= PACKAGE CREATION

If you want to create your own packages that can be installed using this
loader, see the "Making your package downloadable..." section at
<http://www.cliki.net/asdf-install> 


= HACKERS NOTE

Listen very carefully: I will say this only as often as it appears to
be necessary to say it.  asdf-install is not a good example of how to
write a URL parser, HTTP client, or anything else, really.
Well-written extensible and robust URL parsers, HTTP clients, FTP
clients, etc would definitely be nice things to have, but it would be
nicer to have them in CCLAN where anyone can use them - after having
downloaded them with asdf-install - than in SBCL contrib where they're
restricted to SBCL users and can only be updated once a month via SBCL
developers.  This is a bootstrap tool, and as such, will tend to
resist changes that make it longer or dependent on more other
packages, unless they also add to its usefulness for bootstrapping.


= TODO

a) gpg signature checking would be better if it actually checked against
a list of "trusted to write Lisp" keys, instead of just "trusted to be
who they say they are"

e) nice to have: resume half-done downloads instead of starting from scratch
every time.  but right now we're dealing in fairly small packages, this is not
an immediate concern